Fix for CONC-345: heap-use-after-free in client_mpvio_read_packet

Kudos to Kentoku Shiba
mariadb-corporation · Jul 5, 2019 · 0f48913 · 0f48913
1 parent 2674447
commit 0f48913
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/plugins/auth/my_auth.c b/plugins/auth/my_auth.c
@@ -353,7 +353,9 @@ static int client_mpvio_read_packet(struct st_plugin_vio *mpv, uchar **buf)
   }
 
   /* otherwise read the data */
-  pkt_len= ma_net_safe_read(mysql);
+  if ((pkt_len= ma_net_safe_read(mysql)) == packet_error);
+    return (int)packet_error;
+
   mpvio->last_read_packet_len= pkt_len;
   *buf= mysql->net.read_pos;
 
@@ -547,7 +549,8 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len,
 
   res= auth_plugin->authenticate_user((struct st_plugin_vio *)&mpvio, mysql);
 
-  if (res > CR_OK && mysql->net.read_pos[0] != 254)
+  if ((res == CR_ERROR && !mysql->net.buff) ||
+      (res > CR_OK && mysql->net.read_pos[0] != 254))
   {
     /*
       the plugin returned an error. write it down in mysql,